Flash Bug Prompts Calls for Code Rewriting

LOS ANGELES – According to Google, hundreds of thousands of vulnerable Flash files are currently on the Internet, including files found at a large number of major websites.

The danger stems from a Cross-Site Scripting (XSS) exploit of Shockwave Flash (SWF) files generated by most of the programs that create Flash applets that allows attackers to access data on targeted websites; such as usernames and passwords, or even performing unauthorized online banking transactions.

The problem may be particularly acute for adult website operators, who have increasingly made use of Flash technology in advertisements and video files and often rely on Adobe's popular DreamWeaver software for website development – one of the tools that generate the vulnerable files.

"If a web application is vulnerable to XSS, and an attacker lures a user of the vulnerable web application to click on a link, then the attacker gains complete control of the user's session in the web application," Google's Rich Cannings wrote. "The attacker can use JavaScript to perform any action on behalf of the user (for example, perform a transaction on an online banking system) or change the way the website appears to the user (for example, perform a phishing attack)."

While security experts have warned of additional vulnerabilities, the XSS exploit was made public after companies such as Adobe updated their software to eliminate the bug.

Now, experts are recommending that all existing Flash files be removed from websites until they can be regenerated with the newest versions of these tools to address the issue.

Cannings also recommends that SWF files be served from numbered IP addresses or from separate domains from the site that features the Flash files.

"If there's an issue on a bank, the impact of an XSS is pretty large," Cannings said. "In other words, it's a huge amount of work, but well worth it for trusted sites that want to remain that way."

Expanding on the causes of the vulnerability, Cannings reported that DreamWeaver's "skinName" parameter can be used to load URLs containing the "asfunction" handler; while Adobe Acrobat Connect makes files that do not validate the "baseurl" parameter, which can allow malicious scripts to be injected into targeted websites.

The complete report can be read here.

Related:  

Copyright © 2024 Adnet Media. All Rights Reserved. XBIZ is a trademark of Adnet Media.
Reproduction in whole or in part in any form or medium without express written permission is prohibited.

More News

Australian Conservatives Raise Concerns About US-Born Online Censor

Long after progressive free speech advocates in Australia questioned E-Safety Commissioner Julie Inman Grant over her campaigns to target adult content, conservatives and libertarians are now raising concerns about the powers granted to the country’s top censor — an unelected former tech exec born in the U.S. — with some calling for her ouster.

Cupcake Girls, Aylo Partner on Educational Video Series for Performers

The Cupcake Girls and Aylo have teamed up to produce a series of educational videos focused on safety standards for adult performers.

My.Club Appoints Nicole Aniston Newest Brand Ambassador

My.Club has named Nicole Aniston its newest brand ambassador.

Elevated X Implements Age Verification Solution, Integration API

Elevated X is now offering age verification services (AVS) through an API.

MojoHost Unveils 'Star Wars Day' Promo

MojoHost will celebrate “Star Wars Day” on Saturday by offering a special discount on new purchases of dedicated servers, VPS and CDN prepay plans throughout the month of May.

2024 XBIZ Miami Show Schedule Announced

XBIZ is pleased to announce the release of the full show schedule for XBIZ Miami, the adult industry's biggest summer conference, set to take place May 13-16.

Video: FSC's Alison Boden Testifies Before California Assembly Committee Regarding Age Verification

Free Speech Coalition Executive Director Alison Boden testified before the California Assembly Judiciary Committee on Tuesday, in opposition to the state’s version of the age verification bills being sponsored around the country by anti-porn religious conservative activists.

Princess Mindy Is LoyalFans' 'Featured Creator' for May

LoyalFans has named Princess Mindy as its Featured Creator for May.

Republicans Behind Oklahoma's New Age Verification Law Gleeful About Potential Pornhub 'Exit'

Republican Gov. Kevin Stitt has signed into law Oklahoma’s version of the age verification legislation being sponsored around the country by anti-porn religious conservative activists.

Woodhull Freedom Foundation Debuts 'Fact Checked by Woodhull' Program

The Woodhull Freedom Foundation has launched its new "Fact Checked by Woodhull" program, which uses peer-reviewed research, compiled and analyzed by professional researchers, to debunk myths weaponized to justify the repression of sex, sexuality and gender expression.

Show More